ECJ Advisor Clarifies Duties of Online Marketplaces Under GDPR and E-Commerce Directive

On the other hand, he said, such service providers act as data controllers with regard to the personal data of user advertisers registered on their websites, so they must verify their identity. AG opinions aren't binding on the ECJ but are often followed.

X v Russmedia Digital and Inform Media Press (Case C-492/23) arose from a claim against Russmedia, a Romanian company that owns an online marketplace. In August 2018, Russmedia published an ad whose content was "disparaging and offensive" toward an unidentified person, X, including photographs used without her consent and her telephone number. The identity of the person posting the ad wasn't verified prior to publication. Russmedia quickly removed the ad when X contacted it, but it remained accessible on other websites.

X sued Russmedia, claiming the advertisement violated her rights. The Court of First Instance, Romania, ordered the media company to pay X 7,000 euros for, among other things, improper processing of her personal data under the GDPR.

Russmedia appealed, and the Romanian Specialized Court upheld the appeal. It ruled that X's action was unfounded because Russmedia wasn't the author of the advertisement but merely provided a service for storing ads without being actively involved in their content; and that Russmedia was exempt from liability as an intermediary under the e-commerce directive. X appealed to the Court of Appeal, which asked the ECJ to clarify the relationship between the directive and the GDPR.